authorJamie Lennox <jamielennox@redhat.com>2015-04-02 10:15:29 +1100
committerJamie Lennox <jamielennox@redhat.com>2015-04-09 10:48:30 +1000
commite79d571aa6a8f036e7d9acb2dcb104f8a9c51259 (patch)
treefa407e32e4a29b419c7aa40955e456793f31b419 /keystoneclient/auth
parenteb98b0856809e5a870ea2d2d938e3e37ba209d80 (diff)
Increase minimum token life required
MIN_TOKEN_LIFE_SECONDS is the number of seconds that the token provided must be valid for to be used when making authentication requests. 1 second has always been a dumb number and was not based on any existing value. Because a user token may be reused by a service to make requests on behalf of a user, a token that is valid when sent may not be valid for the life of the request. 2 minutes is also an arbitrary value, but it should allow plenty of time for service requests to complete before being rejected. Closes-Bug: #1441910 Change-Id: I395a0770e72d1ec7904e656ca382a5270f793a8b
Diffstat (limited to 'keystoneclient/auth')
-rw-r--r--keystoneclient/auth/identity/base.py5
1 files changed, 3 insertions, 2 deletions
diff --git a/keystoneclient/auth/identity/base.py b/keystoneclient/auth/identity/base.py
index d8cd2a6..75c6d7f 100644
--- a/keystoneclient/auth/identity/base.py
+++ b/keystoneclient/auth/identity/base.py
@@ -34,8 +34,9 @@ def get_options():
@six.add_metaclass(abc.ABCMeta)
class BaseIdentityPlugin(base.BaseAuthPlugin):
- # we count a token as valid if it is valid for at least this many seconds
- MIN_TOKEN_LIFE_SECONDS = 1
+ # we count a token as valid (not needing refreshing) if it is valid for at
+ # least this many seconds before the token expiry time
+ MIN_TOKEN_LIFE_SECONDS = 120
def __init__(self,
auth_url=None,
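Review bot: With `MIN_TOKEN_LIFE_SECONDS = 120` fixed as a class attribute, an identity service configured to issue tokens that live two minutes or less would presumably have every token treated as needing refresh, so each request would re-authenticate. The code that compares against the constant is outside this hunk, so that should be confirmed where it is consumed. The new comment could state the constraint and the only visible way to change the value, for example `# tokens with fewer than this many seconds left are refreshed; keep this below the shortest token lifetime the identity service issues (override in a subclass)`. The class body and `__init__` continue past the end of the hunk, so whether a per-instance override already exists cannot be seen from here.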